What I Do At Work

This is an archived post

Lion Server Profile Manager: First Day Experiences

October 19 2011, 1:38 PM by Mike Boylan

Today I finally had the time to begin experimenting with Profile Manager built into Mac OS X Lion Server. Apple's documentation is extremely poor, to say the least, so I have been forced to make some assumptions based solely on my own discoveries throughout the day. If any of them are wrong, please leave a comment and let me know.

Here's what I found.

Setup

The setup process for Profile Manager and the MDM server bundled into it is extremely easy.

1. Ensure proper DNS and then set up the server to be an Open Directory Master.

2. Create a new self-signed certificate and use that to generate a CSR for a real CA. We use Entrust here at RMU.

3. Submit your CSR, get a real, valid SSL certificate, and then replace the self-signed cert with the one signed by your CA of choice.

4. Install any intermediate certificates and then select the new cert to be the primary one for the server.

5. Click the "Edit" button next to "Device Management" on the Profile Manager pane of Server.app and go through the steps, one of which is acquiring an Apple Push Notification Service (APNS) certificate.

6. Check the box for "Sign configuration profiles" and use the self-signed OD CA Code Signing Certificate, or purchase a real code-signing certificate from a CA (not really necessary).

7. If you want to rename the global "settings for everyone" profile, do that now.

After logging in, you're presented with an "oh wow this is pretty" website. But immediately after the "wow" factor wears off, you're left hoping for more detailed documentation. As in Workgroup Manager, it's clear that you can assign profiles at the User, Group, Computer, or Computer Group level. Clicking around the various groups and users shows it's not very difficult to build different profiles for different groups. However, there's no documentation on levels of precedence or on how conflicting settings interact. Initial testing by Arek Dreyer shows that Device profiles tend to take precedence over User or User Group profiles. Also gone is the concept of "Always", "Often", "Once", and "Never": settings applied through profiles are effectively always at the "Always" level of persistence.

Things that should be documented

1. By default, everyone is in the "Everyone" group, and the "Everyone" group has the option checked to allow members to "Enable Remote Management" under "Portal Access." This means that by default, everyone can enroll their devices into Profile Manager, which is probably not what you want. It also means that the option to turn off device enrollment is greyed out at the user level. Disabling the option at the group level then, of course, unlocks the ability to set it per user.

2. Only admins can see Enrollment profiles when logged in to the user portal.

3. You cannot pre-associate a user with a device. Therefore profiles configured for devices and device groups will never show as available for download in the user portal. Only user and user group profiles will show.

4. Along with number 3, if you set a profile's distribution type to "Manual Download," it will only show in the list in the user portal if it is a user or user group profile, not a device or device group profile.

5. Along with numbers 3 and 4, if a device or device group profile's distribution method is set to "Manual Download," the only way to get access to it is to download it as an admin through the admin portal and distribute it via some other means. It will never be shown in the user portal.

6. There is currently no way to lock trust profiles or device management profiles; only configuration profiles can be locked. This means an admin user can easily remove their device from device management.

7. I don't see why anyone would ever need more than two enrollment profiles, a "Restricted" and an "Unrestricted" one. The only option for enrollment profiles is whether or not the computer is required to be in the devices list prior to enrolling. Maybe I'm not understanding these properly, but here at RMU I imagine I'd only ever use a Restricted Enrollment Profile. Perhaps I'd want more if I wanted a more granular view of the "Usage" of a particular enrollment profile?

Bugs I found

My trust profile didn't immediately show in the user portal as available for download. In Server.app, even though it was already selected, I had to select the code-signing OD CA self-signed certificate again, and Profile Manager rewrote the settings. It then became available for download. This happens after every restart of the Profile Manager service.

My trust profile is named "Trust profile for" but is missing the domain or name of the server. Running "sudo serveradmin settings devicemgr:server_organization = fqdn.example.com" has no effect.

Using Firefox 7 with the admin web interface presented some problems. Active tasks wouldn't change to completed unless I reloaded manually. Safari also had some issues with this, but less often.

When manually importing a plist to the "Custom Settings" section of a profile, you're unable to delete more than one key out of that plist at a time. Pressing shift or command to select multiple items does not work. For example, if you import the Safari plist but only need the HomePage key, you'll be there for quite a while clicking "delete" on the unneeded keys. As a workaround, write a plist to your desktop with the same name, containing only the keys you need. Then upload that.

There is no way to resize the columns in the "Activity" panes in the admin portal. There is a lot of available screen space but the web app keeps the columns super tiny.

Overall first day experiences

A lot of bugs. A lot of confusion. Shit poor documentation. The best third-party resource I currently know of is Arek Dreyer's presentation at MacSysAdmin 2011. Listen to his presentation; it has a lot of good side notes.

Remote wipe and remote lock are both cool. Note that remote lock immediately reboots the machine; there is no prompt and no opportunity to save.

If this is the tool that Apple wants us to use to replace MCX and Workgroup Manager, it's got a long way to go. MCX is well understood and has extremely detailed documentation. We sys admins don't just want to know how to do something, we want to know WHY it works the way it does and what to do when it doesn't. This was my favorite line from the Apple Profile Manager documentation:

To send the URL of the Profile Manager server to a user so they can log in and download the configuration profiles you assigned to them, click the arrow next to Visit User Portal, then copy the URL from the browser window that opens.

Thank you, Apple, for that extremely helpful lesson on copying and pasting. I could have never figured that out by myself!

I'll leave off with this. Profile Manager's logging isn't so bad. But often it says this:

I've got some bugs to add to your list. One of these bugs extends to Lion Server's web service. Let me explain.

There have been issues with the Server App inadvertently rewriting the website configuration files (located at /etc/apache/sites) since Lion Server v10.7. The Server App wouldn't, and still won't, let you remove or edit the server's default website. If one were to try and add a website using the Server App, the default website would completely break and cease to function. Upon closer inspection, the default website's configuration files would be overwritten. Mainly the document root would get changed to "/var/empty." Furthermore, prior to 10.7.3 there was no way to specify additional domains, redirects, index files, set an SSL for the site or to even "Allow Overrides."

After using the Server App to add and publish one or more websites, it became necessary to manually edit the configuration files in the /etc/apache2/sites directory, using the Text Editor app (or my favorite, Text Wrangler). Even then, with every start/stop of the web service or newly added website, these files would once again be overwritten. To keep the Server App from overwriting these files, I had to manually edit the default website's configuration file to use the server's local IPv4 address, rather than the default wildcard value of *. After manually editing these configuration files and deleting the shadow.conf files completely, the Server App could no longer save any changes, meaning the only way to add another site was to create the site's configuration files manually.

The functionality added in the 10.7.3 update seemed to fix this problem... that is, until you enable Profile Manager. Even from a clean installation of Lion Server 10.7.3 you have to make a choice.

1. Do you want to host websites?
2. Do you want to run Profile Manager?

You can't have your cake and eat it too. With the Profile Manager service configured and turned on, if you are hosting any websites other than the default server website, when you go to https://server.example.com/profilemanager, you'll receive a message that Profile Manager isn't turned on (even though it's showing that it's on in the Server App). https://server.example.com/mydevices will return a 404 not found error. Take down all the sites that you added to the Web service and you or your users can log in and access the web-based Profile Manager service just fine.

Here is the biggest bug I've seen yet. As I'm preparing for my ACTC 10.7 recertification exam, I installed a "Trust Profile" and "Enrolled" my late 2010 MacBook Air. Then, using the web-based interface, I remotely locked my computer. No big deal. I've locked my MacBook Pro, 24 and 27 inch iMac, and Mac Mini Server and had no trouble whatsoever getting them unlocked with the passcode I set. The MacBook Air, on the other hand, is now locked up tighter than Obama's college transcripts, and unless the fine folks at Apple's Enterprise department can help me tomorrow, I've got a $999.00 paper weight.

Logging into https://server.example.com/profilemanager, I've selected "completed tasks" and see that the lock command was successfully sent. I can even select that task and view the 6 digit passcode that I used to lock it with. But no way, no how will that MacBook Air take that code.

It's very disparaging. I want to like Lion Server and I do. It just makes my head spin that they don't even have the bugs worked out of Lion yet and in less than a year I'll once again be faced with similar issues as I prepare for my Mountain Lion certs.

Mar 15 2012, 9:54 PM

Mike Boylan responded:

Hey John... ouch. That sounds like a bag of pain. Have you filed rdar's for any of those?

Mar 15 2012, 11:38 PM

John Lochert responded:

Hey Mike, no I never did file any bug reports with the developer program. After the amount of time and research I invested sorting out the web service issue, I assumed they knew about it. I just rolled my server back to 10.6.8 for the time being and waited patiently until 10.7.3 was released.

I may go ahead and file a report documenting how the Web Service breaks the Profile Manager service. But I definitely am planning on filing a report on the Profile Manager locking me out of the MacBook Air.

I spoke with the folks in Apple's Enterprise Support department today. They told me that I'd have to take it to an Authorized Service Provider or the Apple Store. I explained that while I'm not an AASP, I am an ACTC and ACMT with my own legitimate Mac Repair and Consultation company here in Kansas City that they can verify. That didn't make a difference to them.

Anyway, I let them schedule the appointment and in the meantime I called a couple other techs in my area to see if they'd had any similar issues and if so, how they dealt with them. But since the MBA's memory can't be removed, they didn't know.

I spent an hour at the Apple Store, (which btw they were very professional and as helpful as they could be) but they couldn't unlock it either. At this point they have to file a request and have a key generated to flash the EFI firmware.

Like I said, I will file a report pending the final outcome of this. But as any good knucklehead would do, as soon as they get it flashed and unlocked for me, I've got a placeholder set and I'm going to enroll it and lock it again right in front of them. I want to see if this was a fluke or a bug related to the MBA.

Mar 20 2012, 10:41 AM

Kostas Backas responded:

I can confirm the Web and Profile manager $#$.

Looking forward to have the Web section usable.

Kostas

Apr 5 2012, 6:23 PM

Avi_sound responded:

Simple question that I hope you guys can explain how to: I read everywhere that it is an easy thing to set policies, settings and behavior of client devices with Profile Manager. While I find that the built-in controls in Profile Manager are easy to figure out, I'm having trouble figuring out how to set up policies that control screensavers, desktop preferences, wallpaper and such. Specifically I am interested in creating a profile that enforces the screen saver to kick in after xxx minutes and requires a password to unlock the screen. I want it to be device dependent so all users inherit the profile, new and old. I assume this would be done by including the plist for the screen saver in the custom list, but how to specify it should be pushed to /library/Preferences as opposed to ~/library/... It may be trivial to an experienced person but not so easy to one who relies on documentation that does not exist. Thanks in advance
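An added example (mine, not code from the original post, its commenters, or Apple) that ties the Custom Settings workaround from the bugs section to the screen-saver question above: it trims an exported preference plist down to the keys you actually want enforced, then wraps them in a Custom Settings payload. The payload layout (`com.apple.ManagedClient.preferences` with a `Forced` list of `mcx_preference_settings`) and the use of `PayloadScope` "System" for a device-level profile are my understanding of the format, not something the page confirms; the exported plist, the values, `example.com` and the UUIDs are all constructed.

```python
"""Added example, not code from the post, its commenters, or Apple.

1. Custom Settings workaround: write a plist holding only the keys you want
   enforced instead of deleting keys one at a time in the web UI.
2. Wrap those keys in a com.apple.ManagedClient.preferences payload with
   PayloadScope "System" (assumed layout of a device-level profile).
"""
import plistlib
import uuid

# Constructed stand-in for com.apple.screensaver.plist exported from a Mac.
# A real export carries more keys than this, which is the whole problem.
FULL_SCREENSAVER_PLIST = {
    "idleTime": 1200,
    "askForPassword": 0,
    "askForPasswordDelay": 300,
    "moduleDict": {
        "moduleName": "Flurry",
        "path": "/System/Library/Screen Savers/Flurry.saver",
    },
    "tokenRemovalAction": 0,
}

# Keys to enforce. None means "keep whatever the export had"; anything else
# replaces the exported value. 600 s idle and a password required immediately
# (delay 0) is the lock the commenter asked for.
WANTED = {"idleTime": 600, "askForPassword": 1, "askForPasswordDelay": 0}


def trim_plist(full, wanted):
    """Return only the keys in `wanted`, with enforced values substituted."""
    trimmed = {}
    for key, value in wanted.items():
        if value is None:
            if key not in full:
                raise KeyError(f"{key!r} is not in the exported plist")
            trimmed[key] = full[key]
        else:
            trimmed[key] = value
    return trimmed


def custom_settings_profile(domain, settings, display_name,
                            organization="example.com", scope="System"):
    """Wrap `settings` for preference `domain` in a configuration profile.

    scope="System" targets the device (every user, current and future);
    scope="User" would make it a user-level profile.
    """
    base_id = ".".join(reversed(organization.split("."))) + "." + domain
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": base_id + ".custom",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Custom Settings",
        # "Forced" is the MCX "Always" level the post says profiles map to.
        "PayloadContent": {
            domain: {"Forced": [{"mcx_preference_settings": settings}]}
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadIdentifier": base_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": organization,
        "PayloadContent": [payload],
    }


def enforced_settings(profile_bytes, domain):
    """Parse a .mobileconfig back and return what it forces for `domain`.

    Useful for checking a downloaded or hand-built profile before uploading
    it; returns None if the profile does not touch that domain.
    """
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        forced = payload.get("PayloadContent", {}).get(domain, {}).get("Forced", [])
        for entry in forced:
            return dict(entry["mcx_preference_settings"])
    return None


def build_screensaver_profile():
    """Trimmed plist (for the Custom Settings upload) plus the profile bytes."""
    trimmed = trim_plist(FULL_SCREENSAVER_PLIST, WANTED)
    profile = custom_settings_profile(
        "com.apple.screensaver", trimmed, "Screen saver lock (constructed)")
    return trimmed, plistlib.dumps(profile)


if __name__ == "__main__":
    trimmed, profile_bytes = build_screensaver_profile()
    # Same file name as the preference domain, as the workaround describes.
    with open("com.apple.screensaver.plist", "wb") as fh:
        plistlib.dump(trimmed, fh)
    with open("screensaver.mobileconfig", "wb") as fh:
        fh.write(profile_bytes)
    print(enforced_settings(profile_bytes, "com.apple.screensaver"))
```

Upload `com.apple.screensaver.plist` in the Custom Settings section, or import `screensaver.mobileconfig` directly; `enforced_settings` is the check worth running on any profile before it goes out, because a key that slipped into the trimmed file is enforced on every device the profile reaches.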

Apr 5 2012, 7:45 PM

John Lochert responded:

Avi_Sound:

If you're looking for granular control over features such as: screensaver, desktop preferences, wallpaper and screen saver preferences then you would want to download the Server Admin Tools from Apple's website. After which, you could set these preferences using the Workgroup Manager app.

You can set these preferences by User, User Group, Computer or Computer Group. The downside is that you won't be able to manage iOS devices using Workgroup Manager. Additionally, I haven't taken the time to explore whether or not these settings will conflict or override any policies put into effect by the Profile Manager service. From my personal experience with Lion Server, it wouldn't surprise me a bit if it didn't bring the whole server crashing down. lol

Also, if Workgroup Manager is the route you want to go, you have to bind all of the workstations that you want to manage to the server. You'll also want to be sure that there is a "computer record" for each of these workstations on the server. The computer records should include the client's Hardware UUID and Ethernet ID at a minimum. I don't believe that you HAVE to define the local IPv4 address, but if the IPs are static and you know them, go ahead and add that information as well.

Lastly, if the Macs that you are wishing to manage are not permanent fixtures on your local network, that will throw a wrench in this plan. Binding over a WAN is possible, but I've only been able to bind after establishing a VPN connection first. Without the VPN connection, the workstation will lose connection to the network server. Without a connection to the network server, the preferences that you already pushed out will stay in effect, however, you won't be able to push out any other preferences until the workstation is once again connected to the network server.

Just to be clear, when I'm talking about "binding" and "network server," Open System Preferences and then select "Users & Groups" and then select "Login Options." To "bind" the workstation click the "Join" button next to the "Network Account Server." At that point you've got to type the server's address and provide the username and password. Depending on whether your server has authenticated directory binding enabled or not, you may have to provide a directory administrator's credentials to complete the binding process.

Once you're successfully bound to the server, you will see the server address in your System Preferences window with a little green light next to it.

Hope this helps. And being this is Mike's blog, I hope I haven't stepped on any toes with my reply.

By the way, Profile Manager is AWESOME! I love it, but they need to work on the security of the iOS devices. It doesn't matter that you can prevent users from removing the profiles that you're pushing out, when you can't keep them from removing the Remote Management and Trust Profiles (which are required to push out the managed profile settings). UGH!!!

Apr 9 2012, 8:49 AM

Avi_Sound responded:

John, thanks for the extensive reply, very helpful. I have the Server Admin installed and running. Doesn't look like there is a conflict between it and PM, I'll give it a try. Luckily I have no iOS devices I need to manage, only desktops; also, all the machines I need to manage are inside the network. I still hope there is a way to do it all with PM. Looks like it is 85% there, and although there are issues and no proper documentation, those who write reviews claim it is the tool to use for a complete solution including screen saver, desktop and other preference control.